ACE Config to NAT to Two Different Addresses Depending on Source IP

Michael Mertens
Level 1

I'm trying to set up an ACE 5.2(1) configuration so that clients from Subnets A-M get NATed to one address, and clients from subnets N-Z get NATed to another address. (This way the proxies in the serverfarm which are being balanced can request authentication for the correct subnets.) All clients point to the same VIP address (required). I've set up two separate loadbalance policies to do this. However, only the first policy listed in my multi-match LOAD_BAL policy actually works.

Please see attached configuration. I think I need to re-organize ordering or something... Thanks!

Mike.

Accepted Solution

gaursin2
Level 1

Hi,

The problem is in your config: both classes are pointing to the same VIP and port, so only the first class will be hit.

Try this configuration:

policy-map type loadbalance first-match NON_AUTHENT_PM
  class NON_AUTHENT_CM   --------for desired client source IP's
    serverfarm PROXY_HTTP_SF
    nat dynamic 6 vlan 1601 serverfarm primary
  class class-default    ------for rest of client IP's
    serverfarm PROXY_HTTP_SF
    nat dynamic 5 vlan 1601 serverfarm primary

and remove NAT from the multi-match policy. Use a single class, so the rest of the config will be:

serverfarm host PROXY_HTTP_SF
  description Proxied Internet Connections
  probe PROXY_HTTP_PROBE
  fail-on-all
  rserver ELFCPRXY1
    inservice
  rserver ELFCPRXY2
    inservice
  rserver ELFCPRXY3
    inservice

class-map match-any NONAUTHENT_HTTP_VIP
  3 match virtual-address 10.10.240.5 tcp eq 80

class-map type http loadbalance match-any NON_AUTHENT_CM
  description Subnets from which Internet Authentication is not Required
  3 match source-address 10.10.16.0 255.255.240.0
  4 match source-address 10.10.32.0 255.255.240.0
  5 match source-address 10.10.48.0 255.255.240.0

policy-map type loadbalance first-match NON_AUTHENT_PM
  class NON_AUTHENT_CM
    serverfarm PROXY_HTTP_SF
    nat dynamic 6 vlan 1601 serverfarm primary
  class class-default
    serverfarm PROXY_HTTP_SF
    nat dynamic 5 vlan 1601 serverfarm primary

policy-map multi-match LOAD_BAL
  class NONAUTHENT_HTTP_VIP
    loadbalance vip inservice
    loadbalance policy NON_AUTHENT_PM
    loadbalance vip icmp-reply

Hope this helps.
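To make the shadowing problem and the fix concrete, here is an added Python model of the two-stage classification described in the answer above. It is not ACE code and not from the original post: the L3/L4 VIP matching of the multi-match policy and the source-address first-match inside NON_AUTHENT_PM are modelled from the posted config (VIP 10.10.240.5:80, the three /20 subnets, NAT pools 6 and 5); the second VIP class name in the broken layout is a hypothetical placeholder, since the original attachment is not on the page.

```python
import ipaddress

# Stage 1 (multi-match LOAD_BAL): classes are tried in order and matched on
# VIP/port only.  Two classes with the same VIP and port means the second one
# can never be selected, which is what the original configuration ran into.
# Tuple layout: (class name, VIP, port, NAT pool the original tried to apply).
BROKEN_MULTI_MATCH = [
    ("NONAUTHENT_HTTP_VIP",        "10.10.240.5", 80, 6),
    ("HYPOTHETICAL_SECOND_VIP_CM", "10.10.240.5", 80, 5),  # shadowed, never hit
]

# Stage 2 (loadbalance first-match NON_AUTHENT_PM): the subnets from
# class-map NON_AUTHENT_CM; anything else falls through to class-default.
NON_AUTHENT_CM = [ipaddress.ip_network(n) for n in (
    "10.10.16.0/20", "10.10.32.0/20", "10.10.48.0/20")]

def first_match_l3l4(policy, vip, port):
    """Return (class, pool) of the first class whose VIP/port matches, or None."""
    for name, cvip, cport, pool in policy:
        if cvip == vip and cport == port:
            return name, pool
    return None

def shadowed_classes(policy):
    """Classes whose VIP/port is already claimed by an earlier class."""
    seen, shadowed = set(), []
    for name, cvip, cport, _ in policy:
        if (cvip, cport) in seen:
            shadowed.append(name)
        seen.add((cvip, cport))
    return shadowed

def nat_pool_for_client(src_ip, vip="10.10.240.5", port=80):
    """Fixed design: one VIP class, then a source-based first-match policy.

    Returns the NAT pool id (6 or 5) or None when the VIP/port is not ours.
    """
    if (vip, port) != ("10.10.240.5", 80):
        return None                      # NONAUTHENT_HTTP_VIP does not match
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in NON_AUTHENT_CM):
        return 6                         # class NON_AUTHENT_CM -> nat dynamic 6
    return 5                             # class class-default  -> nat dynamic 5
```

Running `shadowed_classes(BROKEN_MULTI_MATCH)` is the quick check to apply to any multi-match policy: a non-empty result means a class can never carry traffic, so its NAT rule is silently ignored rather than applied.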


2 Replies


That helps a lot, and it works as we want! THANKS!